When employers address cybersecurity, they often focus on financial data and intellectual property. But there’s another area that’s just as important and typically much more vulnerable: HR information.
Many organizations have a huge amount of data about both current and former employees, as well as job candidates, stored on their servers or in the cloud. And this information tends to be at great risk because, even if it’s encrypted in storage, HR staff often share HR information via email, text and instant messaging.
Assess your risk
A good first step to take is to assess your risk.
- Conduct an internal audit of the types of employment and benefits information you gather
- how much data of each type you’re currently retaining
- where it’s stored
- who’s using it and how.
Don’t be surprised if you discover duplicates regarding where data is stored. Many organizations also discover that they’ve been holding on to HR data for far too long. You may be shocked to learn that employees aren’t following security protocols, assuming you have them in place.
4 guidelines to follow
To better protect sensitive HR information, follow these four guidelines:
1. Collect only what’s absolutely needed.
Being too thorough on the collection of HR information for past and present employees can create a problem. Ideally, you want to establish a list of set data points to collect, appropriate to your needs, and limit yourself to that information.
2. Encrypt everything.
Following an audit of your HR data, you might find that some sensitive information isn’t encrypted. It is important to know precisely where every bit of employment-related data is stored and shared. Safeguarding HR Information (shrm.org)
3. Implement strict policies governing who may access and use HR data.
Carefully devised, clearly worded and regularly updated cybersecurity policies are now a must for every type of organization — no matter how big or small. Safeguarding HR Information (shrm.org)
One important concept to integrate into your policies is “least privilege.” This is the general rule that employees should be granted only the absolute minimum levels of access needed to perform their job functions.
4. Retain data for limited periods.
They say on the Internet, or more specifically the cloud, everything lasts forever. But it doesn’t have to. Regularly delete HR data that you no longer need. Just be sure to comply with federal and state statutes for file retention related to tax reporting and other important matters, including legal investigations.
Stay out of the dark
There’s reportedly a huge market for stolen HR information on the “dark web” — the alternate version of the Internet where hackers go to sell their ill-gotten gains. Be sure to take the necessary steps to protect your organization because the associated costs of a data leak, HR or otherwise, can be devastating.